Managing PCoIP Management Console Certificates

This section contains information on how to manage your PCoIP Management Console certificates, including custom certificate requirements, creation, upload, update, and general management of certificates.

Important: Generate your own custom certificate

The PCoIP Management Console is shipped with a default Teradici self-signed certificate. Teradici strongly recommends that you generate your own certificates signed by a recognized certificate authority (CA), and then update both your PCoIP Management Console and your endpoints with the certificates before configuring a discovery method or adding endpoints to your PCoIP Management Console.

Custom Certificate Requirements

The certificate loaded onto the PCoIP Management Console for use as the PCoIP Management Console web interface certificate and for endpoint management must meet the following requirements:

  • It must be an X.509 certificate in PEM format. Three PEM files are needed to install the certificate into the PCoIP Management Console:

    • The first file contains only the PCoIP Management Console public certificate.

    • The second file contains only the PCoIP Management Console certificate’s private key.

    • The third file contains the PCoIP Management Console certificate’s issuing chain (intermediate CAs, if applicable, and root CA).

  • The certificate must be valid, meaning that the current time is after the 'not valid before' time and before the 'not valid after' time.

  • The PCoIP Management Console certificate’s RSA key must be 1024 bit or greater. The recommended length is 2048 bits.

  • If the PCoIP Management Console certificate contains an Enhanced Key Usage extension, it must include the Server Authentication usage. It is also acceptable for the certificate to not include an Enhanced Key Usage extension.

  • The certificate must have an entire verifiable chain. Any certificate used to sign the leaf certificate must be present in the chain.

Creating and Preparing Your Own PCoIP Management Console Certificate

This section demonstrates how to create and submit your own certificate using OpenSSL and your own CA via the PCoIP Management Console VM.

Note: Examples use Teradici's PCoIP Management Console name

All the following examples use Teradici's PCoIP Management Console name. Replace any name with your own.

Step 1: Ensure Your PCoIP Management Console Does Not Have Any Custom Certificates Installed

To make sure you don't have custom certificates installed:

  1. Log into the PCoIP Management Console web interface.

  2. Go to SETTINGS > SECURITY > CERTIFICATES and ensure the default certificate is installed by confirming:

    • Security Certificate fields Subject and Issued By are populated with localhost. (see #1)

    • Security Chain fields are empty. (see #2)

    Info: Custom Certificates

    For custom certificates, the Security Certificate fields are populated with data that does not include localhost, and the Security Chain fields are not empty.

    [Screenshot: Security Certificate Page]

Step 2: Connect and Enable SSH to Create Your Certificate via the PCoIP Management Console virtual machine

You will need to enable SSH prior to creating your certificate. See Accessing the PCoIP Management Console Virtual Machine Console.

Note: Run OpenSSL on a 'Trusted' computer

OpenSSL can be run on any 'Trusted' computer.

To create your certificate:

  1. SSH into the PCoIP Management Console using your preferred SSH client. The example shown next uses PuTTY.

  2. Run the OpenSSL command:
    openssl req -out CSR.csr -new -newkey rsa:3072 -nodes -keyout privateKey.pem

  3. You will get the following response and be asked a series of questions, as shown next:

    [Screenshot: OpenSSL prompts]

  4. Modify each entry with your own detailed information. Descriptions are shown next:

    • Country Name: Your country

    • State or Province Name: Your state or province

    • Locality Name: Your city

    • Organization Name: Your company

    • Organizational Unit Name: Your department

    • Common Name: Your PCoIP Management Console Name (for example, hostname of PCoIP Management Console - se-pcoip-mc-200)

    • Email Address: you@yourcompany.com

    • A challenge password: Your password

    • An optional company name: Optional

  5. Press Enter.

  6. Two files will be generated in the admin folder: privateKey.pem and CSR.csr.

Step 3: Submit Your Certificate

Caution: Certificates with Private Key

Do not send certificates containing your private key to the CA. A certificate with private key should not be sent outside your organization. The private key provides access to your secured resources and should remain under tight control.

To submit your certificate:

  1. Using a file management tool of your choice, copy the two files off your PCoIP Management Console.

  2. Take the generated CSR.csr and send it to your CA (https://mycertserver.mydomain.local/certsrv).

  3. Select Request a Certificate.

  4. Select Advanced Certificate Request.

  5. Copy the content of CSR.csr and submit it to the CA. The content is Base-64 encoded.

    Note: Using text editor to copy the Certificate Signing Request

    You can rename CSR.csr to CSR.csr.txt to open it in Notepad and copy the content.

  6. For Certificate Template, select Web Server.

  7. Do not add anything in the attributes box.

  8. Click Submit.

Step 4: Download and Prepare the Certificate

To download and prepare the certificate:

  1. You can now download the created certificate from the CA. However, do not download the certificate chain as it is still in the wrong format. The certificate will show up as certnew.cer.

  2. Rename certnew.cer to certnew.pem.

  3. Get a copy of the CA certificate from the certificate server in Base64 (CA.pem). This certificate is used as part of the chain.

  4. Create a new certificate called chain.pem by combining the contents of certnew.pem with CA.pem.

    Note: Using Notepad to combine the certificates

    You can create a text file for each certificate to help combine the two. To edit certificates, change their extension to .txt. Teradici recommends creating a new file with the .txt extension. Place the CA.pem content under the certnew.pem content in the combined certificate.

  5. Rename the combined certificate back to .pem. All certificates must be in .pem format before uploading into the PCoIP Management Console.

  6. Now, you will have three certificates:

    • certnew.pem: The certificate returned from the CA
    • privateKey.pem: The private key generated by the OpenSSL command in Step 2
    • chain.pem: The combination of certnew.pem and CA.pem

    Note: CA.pem is not uploaded into the PCoIP Management Console

    CA.pem is used only to build the chain certificate (chain.pem). Uploading CA.pem itself into the PCoIP Management Console is not required, but ensure its content is correct, because it becomes part of chain.pem.
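The following script is an added example and is not Teradici's code or part of this document's procedure. It walks through Steps 2 to 4 above with a constructed local test CA standing in for your organization's CA server (so it runs offline), creates the CSR non-interactively with -subj instead of the prompts, assembles chain.pem by placing CA.pem under certnew.pem, and then checks the three files against the Custom Certificate Requirements section (PEM format, key matches certificate, RSA key length, Enhanced Key Usage, validity window, verifiable chain). It also prints the SHA-256 fingerprint of the public certificate, the value used for the DHCP/DNS discovery options described later. The hostname se-pcoip-mc-200 and the file names come from this document; the config file ossl.cnf, the subject fields, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Teradici's code: Steps 2 to 4 with a constructed test CA,
# followed by a check against the Custom Certificate Requirements section.
# Assumptions: hostname se-pcoip-mc-200, config file ossl.cnf, function names.
set -u

# write_openssl_config DIR: minimal config so the example does not depend on the
# system openssl.cnf. v3_ca marks the test CA; v3_leaf mirrors a Web Server template.
write_openssl_config() {
    cat > "$1/ossl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:se-pcoip-mc-200
EOF
}

# make_mc_cert_set DIR: Step 2 (CSR.csr + privateKey.pem, with -subj instead of
# the interactive prompts), Step 3 (signing, here by the constructed test CA
# rather than your CA server) and Step 4 (certnew.pem, CA.pem and chain.pem).
make_mc_cert_set() {
    d=$1
    write_openssl_config "$d"
    openssl req -x509 -config "$d/ossl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/CA.pem" -subj "/CN=Constructed Test CA" -days 365 2>/dev/null
    openssl req -config "$d/ossl.cnf" -new -newkey rsa:3072 -nodes \
        -keyout "$d/privateKey.pem" -out "$d/CSR.csr" \
        -subj "/C=CA/ST=BC/L=Burnaby/O=Example Corp/OU=IT/CN=se-pcoip-mc-200" 2>/dev/null
    openssl x509 -req -in "$d/CSR.csr" -CA "$d/CA.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/ossl.cnf" -extensions v3_leaf -days 365 -out "$d/certnew.pem" 2>/dev/null
    cat "$d/certnew.pem" "$d/CA.pem" > "$d/chain.pem"   # leaf first, CA.pem under it
}

# check_mc_cert CERT KEY CHAIN: returns 0 if every requirement holds, 1 otherwise.
check_mc_cert() {
    cert=$1; key=$2; chain=$3; rc=0
    # PEM X.509 certificate and PEM private key
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: $cert is not a PEM X.509 certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: $key is not a PEM private key"; return 1; }
    # the key file must belong to this certificate (compare the public keys)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; rc=1; }
    # RSA key of at least 1024 bits (2048 recommended)
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || { echo "FAIL: key is not RSA"; rc=1; }
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 1024 ] || { echo "FAIL: RSA key is only ${bits:-0} bits"; rc=1; }
    [ "${bits:-0}" -ge 2048 ] || echo "WARN: RSA key is ${bits:-0} bits; 2048 is recommended"
    # Enhanced Key Usage, if present, must include Server Authentication
    eku=$(echo "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    if [ -n "$eku" ] && ! echo "$eku" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: Extended Key Usage is present but lacks Server Authentication"; rc=1
    fi
    # validity window and complete issuing chain: openssl verify enforces both
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert is outside its validity window or $chain is incomplete"; rc=1; }
    return $rc
}

# mc_fingerprint CERT: SHA-256 fingerprint of the public certificate, the value
# entered in the DHCP option / DNS TXT record for endpoint discovery.
mc_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demo in a scratch directory
tmp=$(mktemp -d)
make_mc_cert_set "$tmp"
check_mc_cert "$tmp/certnew.pem" "$tmp/privateKey.pem" "$tmp/chain.pem" \
    && echo "PASS: certnew.pem, privateKey.pem and chain.pem meet the requirements"
echo "EBM X.509 SHA-256 fingerprint: $(mc_fingerprint "$tmp/certnew.pem")"
rm -rf "$tmp"
```

In real use, keep only check_mc_cert and mc_fingerprint: run them on a trusted computer against the certnew.pem, privateKey.pem and chain.pem produced by your own CA before uploading them, so that a chain assembled in the wrong order, a key that does not belong to the returned certificate, or a certificate template without Server Authentication is caught before the PCoIP Management Console restarts with it.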

Uploading Your Own PCoIP Management Console Certificates

This section explains how to upload your own certificates to the PCoIP Management Console and to endpoints that require a PCoIP Management Console certificate before discovery. If you wish to avoid browser certificate warnings when you access the PCoIP Management Console’s web interface, you can also install the PCoIP Management Console certificate in your browser.

Important: Use the following sequence if you are installing certificates before adding endpoints

If you are installing your own PCoIP Management Console certificates before you have added endpoints to the PCoIP Management Console, please follow the instructions in the order shown. If you need to update your PCoIP Management Console certificates for any reason after the PCoIP Management Console has already discovered your endpoints, the order of this procedure is slightly different. See Updating PCoIP Management Console Certificates after Endpoint Discovery for details.

The PCoIP Management Console requires the following certificates:

Note: All certificates must be in PEM format

All PCoIP Management Console certificates must be issued in PEM format.

  • PCoIP Management Console server’s certificate (*.pem): Contains the public key. The PCoIP Management Console’s public key certificate fingerprint is also used for DHCP/DNS endpoint discovery.

  • PCoIP Management Console server’s private key certificate (*.pem): Contains the private key.

  • PCoIP Management Console chain certificate (*.pem): Contains the root certificate and any intermediate certificates used to issue PCoIP Management Console server certificates.

Step 1: Upload Your PCoIP Management Console Certificates to the PCoIP Management Console

Note: Uploading Certificates causes the application to restart

Uploading a certificate signs out all PCoIP Management Console users and causes the PCoIP Management Console application to restart. Users will not be able to access the PCoIP Management Console for one to two minutes.

To upload your certificates to the PCoIP Management Console:

  1. From the PCoIP Management Console’s top menu, click SETTINGS.

  2. Click SECURITY in the left pane and select the CERTIFICATES tab in the SECURITY pane to the right.

  3. Click UPDATE.

  4. Click SELECT CERTIFICATE, select the PCoIP Management Console’s public key certificate file (*.pem), and then click NEXT.

    [Screenshot: Certificate Upload]

  5. Click SELECT KEY, select the PCoIP Management Console’s private key certificate file (*.key), and then click NEXT.

    [Screenshot: Certificate Key]

  6. Click SELECT CHAIN, select the PCoIP Management Console’s chain certificate file (*.pem), and then click NEXT.

    [Screenshot: Certificate Apply]

  7. Click Apply.

  8. Read the warning message and then click APPLY.

  9. When the update process completes, click LOGIN to log in to the PCoIP Management Console again.

    [Screenshot: Certificate Login]

Step 2: Update Your DHCP/DNS Server with the PCoIP Management Console Server’s Public Key Certificate Fingerprint

If your DHCP or DNS server is configured to provision endpoints with the PCoIP Management Console’s public key certificate fingerprint, this information must be updated next. You can update your server with your PCoIP Management Console certificate fingerprint as follows:

  • DHCP server: Edit the EBM X.509 SHA-256 fingerprint option for the PCoIP Endpoint option class. For details, see Configuring DHCP Options.

  • DNS server: Edit the EBM-SHA-256-fingerprint DNS text record. For details, see Adding a DNS TXT Record.

Step 3: Upload a PCoIP Management Console Certificate to Your Endpoints

If your endpoints are configured with a discovery method and security level that require them to have a PCoIP Management Console certificate in their trusted certificate store before they can connect to the PCoIP Management Console, you can either upload the PCoIP Management Console certificate for a group of endpoints using a PCoIP Management Console profile, or upload it locally using each endpoint’s AWI. Depending on your security requirements, you can upload either a PCoIP Management Console issuer certificate (that is, the root CA certificate or intermediate certificate that was used to issue the PCoIP Management Console server certificate) or the PCoIP Management Console server’s public key certificate.

Installing the PCoIP Management Console Certificate in Your Browser

If you wish to avoid browser certificate warnings when you access the PCoIP Management Console’s web interface, you can install a PCoIP Management Console certificate in your browser. You can use either a PCoIP Management Console issuer certificate or the PCoIP Management Console server’s public key certificate. For more information, see How do I fix the unsecure browser warning when accessing the Management Console 2.x and 3.x web interface? (1406)

Reverting to the Default Self-signed PCoIP Management Console Certificate

Note: Reverting to the default certificate disables all users and causes the application to restart

Reverting the PCoIP Management Console to its self-signed certificate disables all PCoIP Management Console users and causes the PCoIP Management Console application to restart. Users will not be able to access the PCoIP Management Console for one to two minutes.

To revert to the default PCoIP Management Console certificate:

  1. From the PCoIP Management Console’s top menu, click SETTINGS.

  2. Click SECURITY in the left pane.

  3. Click REVERT SELF-SIGNED CERTIFICATE.

  4. Read the warning message and then click APPLY.

    [Screenshot: Self Signed Cert Dialog]

  5. When the update process completes, click LOGIN to log in to the PCoIP Management Console again.